algorithm 11 mistake mac

David Shaw dshaw at
Wed Jul 8 00:02:42 CEST 2009

On Jul 7, 2009, at 5:32 PM, Robert J. Hansen wrote:

>> [I]t's chopping sha256 down to 224 bits to fit.
> As I understand things, this is largely (almost entirely)  
> irrelevant.  Am I mistaken?

Possibly.  It depends on what you believe it is irrelevant for.

A user using SHA-256 reasonably expects to get 256 bits worth of  
hash.  It tends to be a surprise that GPG is silently lowering that to  
224 bits behind the scenes (especially since the signature still  
identifies as SHA-256).  It would be unfortunate, particularly on a  
public mailing list, to give the impression that using SHA-256 instead  
of SHA-224 with a DSA key built for 224 bits actually got you the  
requested 256 bits of hash.  A more dramatic example would be someone  
using SHA-512 with such a DSA key.  Despite the massive hash you are  
working with, you still only get to use 224 bits of it.

It's an easy mistake to make, as this is not the case for RSA keys,  
which use whatever hash you like without any truncations.

Or are you asking if there is there a significant difference between  
SHA-256 truncated to 224 bits and straight SHA-224 in terms of hash  
strength?  If so, no, there really isn't.  SHA-224 in fact *is* a  
truncated SHA-256 with a different initialization.


More information about the Gnupg-users mailing list